18
December
2024

Story-Driven Scenarios Offer Dynamic Environment: InCommon’s 2024 Cyber Security Cooperation Exercise

Subscribe for more like this

Share


Estimated reading time: 3 minutes

By Kyle Lewis, Chair, Sirtfi Exercise Planning Working Group

From phishing attacks to compromised end-user devices, federation organizations have a coordinated line of defense when bad actors come after them individually or collectively. The Security Incident Response Trust Framework for Federated Identity (Sirtfi), which is part of InCommon’s Baseline Expectations for federation members, provides federation identity providers (IdPs) and service providers (SPs) with a means to communicate and coordinate security incident responses.

On November 18-22, 2024, 15 university, federation, and government security teams came together to practice coordinating responses to security incidents by participating in InCommon’s third annual cyber security cooperation exercise. During the exercise, they practiced using the REFEDS Sirtfi framework in a scripted scenario. In addition to InCommon organizations, the exercise also saw participation from the the Research and Education Advanced Network New Zealand.

Headshot of Kyle Lewis

This year’s exercise planning working group adopted a deliberate story-driven methodology of scenario development, centered around specific learning objectives. This approach resulted in a dynamic environment where each SP and IdP had different types of incidents to respond to, tied to a coherent narrative: 

  • Some IdPs reacted to phishing scenarios. 
  • Others responded to compromised end-user devices. 
  • Some SPs reacted to hostile destruction of research data scenarios. 
  • Other SPs dealt with an insider-threat scenario. 

As the story unfolded over the multiple days of the script, the IdPs with compromised credentials used Sirtfi to notify the affected SPs’ security teams. SPs practiced taking in multiple inputs from multiple IdPs, managing the unfolding event, and using Sirtfi to notify further affected parties when applicable. 

Response from the participants was positive with a shared desire to do another  exercise next year. During the feedback session, a continuing theme from last year was that this exercise helped strengthen their organizations’ internal ties between their security teams and identity and access management teams.

Looking Ahead

The Sirtfi Exercise Planning Working Group (SEPWG) plans to reconvene early next year and continue to grow and expand opportunities to practice intra- and inter-federation incident response. 

Members of the SEPWG will be guided through the story-driven methodology and have an opportunity to contribute to ‘the cookbook.’ They will also be trained on how to run such an exercise and have an opportunity to be part of the Exercise Control Cell.  Organizations contributing time to help on SEWPG will also get priority for their security teams to participate in the capstone tabletop exercise. The planned capstone event will be another distributed tabletop exercise in November 2025.

Kyle Lewis is vice president of cybersecurity strategy at InCommon Catalyst RDCT.

About the Sirtfi Exercise Working Group

The Sirtfi Exercise Working Group prepares members of the InCommon Federation community to handle a federated security incident by conducting one or more tabletop exercises to simulate aspects of responding to the real thing. Exercises are aimed to be learning opportunities, increasing familiarity with and shared understanding of key concepts and practices in the Sirtfi framework. The Sirtfi Exercise Working Group is chartered by the InCommon Community Trust and Assurance Board. Additional information is available on the working group wiki.

ICYMI